Re: [dane] Digest Algorithm Agility discussion

Viktor Dukhovni <viktor1dane@dukhovni.org> Sun, 23 March 2014 19:57 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 780531A09BF for <dane@ietfa.amsl.com>; Sun, 23 Mar 2014 12:57:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vlGijyk7Hh2j for <dane@ietfa.amsl.com>; Sun, 23 Mar 2014 12:57:19 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 47FCE1A09AE for <dane@ietf.org>; Sun, 23 Mar 2014 12:57:18 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 787442AB137; Sun, 23 Mar 2014 19:57:17 +0000 (UTC)
Date: Sun, 23 Mar 2014 19:57:17 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140323195717.GA13649@mournblade.imrryr.org>
References: <20140315051704.GY21390@mournblade.imrryr.org> <0l4n2sa5a0.fsf@wjh.hardakers.net> <20140322074737.GA5739@anguilla.noreply.org> <20140323174205.63C6111B2111@rock.dv.isc.org> <20140323182106.GX24183@mournblade.imrryr.org> <20140323185718.7A84711B2CB8@rock.dv.isc.org> <20140323191037.GA1469@anguilla.noreply.org> <20140323192557.7716111B342A@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140323192557.7716111B342A@rock.dv.isc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/nWL06ulZHnj6HHF3uG1mNLm9AFs
Subject: Re: [dane] Digest Algorithm Agility discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Mar 2014 19:57:21 -0000

On Mon, Mar 24, 2014 at 06:25:57AM +1100, Mark Andrews wrote:

> > Site A only publishes SHA1 entries.  Would rather do unauthenticated TLS
> > than trust SHA1?
> 
> You left out - report and refuse to send until fixed.

Broken is not a binary state.  Before previously reasonably sound
algorithms are fully broken, they are first tarnished, and our
confidence in their strength begins to fray.

Refuse to send is a strong reaction, when an algorithm is only
tarnished, with no known practical attacks, but known signs of
weakness.  Have you disabled RC4 in your browser yet?  If not, your
rather principled stand is "do as I say, not do I as do".

> > Site B publishes both SHA2-512 and SHA1 entries.  Would you still want
> > to trust SHA1?
> 
> Once you decide SHA1 is not acceptable you ignore the records with SHA1
> hashes.

A flag day, one can sensibly avoid, by incrementally phasing out
(hypothetically) SHA1 as server publish stronger records that include
(hypothetically) SHA1 to accommodate weaker clients in addition to stronger
digests.

> Publishing new hashes is trivial and will remain trivial.

Flag days remain a major deployment problem.

> Once a algorithm has reached the state where you don't trust it for a
> purpose you don't use it for that purpose.

That's fine, except at Internet scale.  Windows 2003 servers still
top out at RC4-SHA1, and at least Exchange 2003 has a broken 3DES
implementation.   Many server operators only enable RC4 for
performance reasons.

When exactly should you or I disable RC4-SHA1 support?  Fortunately
in TLS cipher suites are negotiated.  I am trying to do the same
for DANE.

-- 
	Viktor.